
PowerBI uses hard-coded service principals for Azure AD authentication

This issue is similar to what is described here:

https://github.com/microsoft/azuredatastudio/issues/19905

 

For SQL connections using federated authentication (e.g. OAuth against Azure AD), the following functionality should be provided by any SQL client: according to the documentation (https://learn.microsoft.com/en-us/sql/relational-databases/security/authentication-access/azure-ad-a...) and the TDS protocol specification, the server should be able to specify the STS and SPN (Service Principal Name) used by the client for the security token acquisition.

 

The described functionality works fine in Power BI Desktop. When publishing a dashboard to PowerBI Cloud, a hardcoded SPN (https://database.windows.net/) is used, which causes authentication issues in downstream processes. This problem has been reproduced in the "local Gateway" configuration.

Status: Needs Info

Hi @meiaestro 

You mentioned that this problem has been reproduced in the "local Gateway" configuration. Can you explain it in detail? Or you can provide the error message in Power BI Service.

 

Best Regards,
Community Support Team _ Ailsa Tao

Comments
v-yetao1-msft
Community Support
Status changed to: Needs Info


meiaestro
Regular Visitor

Hi @v-yetao1-msft ,

 

We have tried to configure a) a VNet for direct access to our cloud service and b) a local Gateway installed on one of our physical machines. Setting up the connection to the gateways works fine in both cases. Connection tests are successful in both cases.

 

When it comes to actual data access, we can see in our logs that PowerBI correctly receives the information about which SPN and STS_Url should be used for the token acquisition. We can further see in our logs that PowerBi sends a token with an obviously hardcoded SPN ("https://database.windows.net/"), ignoring the one defined by the server. This of course leads to the following error message when downstream API calls are executed using the provided token:

 

Authentication error in Federated Authentication Ticket Service: AADSTS500131: Assertion audience does not match the Client app presenting the assertion. The audience in the assertion was 'https://database.windows.net/' and the expected audience is '***ID REMOVED***' or one of the Application Uris of this application with App ID '***ID REMOVED***'(***NAME REMOVED***). The downstream client must request a token for the expected audience (the application that made the OBO request) and this application should use that token as the assertion.

 

The expected behaviour would be the following:

- PowerBi sends a login request to the server
- Server provides an application-specific SPN and STS_Url
- PowerBi uses the provided SPN and STS_Url to acquire an access token from Azure AD
- PowerBi sends this token to the server
- Server can use the token for downstream API calls.

--> This works fine for PowerBi Desktop (and many other SQL clients), but does not work in PowerBi online.

 

Thanks a lot.

 

Best regards,

Joerg 
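The login exchange Joerg describes above, as an added example that is not part of the original thread or of any Microsoft code: a stand-in for the TDS FEDAUTHINFO step (server hands the client an STS URL and SPN), a client that either honours that SPN or substitutes a hard-coded one, and a server-side check that verifies the token and its audience before passing it to downstream calls. The STS URL, app identifier, subject and the HS256 shared secret are constructed placeholders; real Azure AD tokens are RS256-signed and validated against the tenant's published keys, which is simplified here so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret shared by the stand-in STS and the token validator.
# Real Azure AD tokens are RS256-signed; HS256 keeps this example self-contained.
STS_SECRET = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sts_url: str, audience: str) -> str:
    """Stand-in for the STS: issue an HS256 JWT whose 'aud' is the requested resource."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": sts_url, "aud": audience, "sub": "user@example.invalid"}  # constructed
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(STS_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def fedauth_info() -> dict:
    """Stand-in for the TDS FEDAUTHINFO message: the server names the STS and SPN to use."""
    return {
        "STSURL": "https://login.example.invalid/tenant-placeholder",  # constructed
        "SPN": "api://app-id-placeholder",                             # constructed
    }


def client_acquire_token(info: dict, hardcoded_spn: Optional[str] = None) -> str:
    """Client side. A correct client uses the server-provided SPN as the audience;
    the behaviour reported in the thread is modelled by passing a hard-coded SPN."""
    audience = hardcoded_spn or info["SPN"]
    return mint_token(info["STSURL"], audience)


def server_validate(token: str, expected_audience: str) -> dict:
    """Server side: verify the signature, then reject any token whose audience is not
    the SPN the server advertised, before the token is used for downstream calls."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected_sig = hmac.new(
        STS_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return {"ok": False, "error": "invalid signature"}
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("aud") != expected_audience:
        return {
            "ok": False,
            "error": f"audience mismatch: got {claims.get('aud')!r}, "
                     f"expected {expected_audience!r}",
        }
    return {"ok": True, "claims": claims}


def run_login(hardcoded_spn: Optional[str] = None) -> dict:
    """Full exchange: FEDAUTHINFO -> client token acquisition -> server validation."""
    info = fedauth_info()
    token = client_acquire_token(info, hardcoded_spn)
    return server_validate(token, info["SPN"])


if __name__ == "__main__":
    print("correct client:", run_login())
    print("hard-coded SPN:", run_login(hardcoded_spn="https://database.windows.net/"))
```

The second run reproduces the shape of the AADSTS500131 error quoted earlier: the token is validly signed, but its audience is the hard-coded resource rather than the application the server asked for, so the server must refuse to forward it.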

meiaestro
Regular Visitor

Hi @v-yetao1-msft,

 

Did my reply help you to better understand the issue?

 

Best,

Joerg